cryfs - cryptographic filesystem for the cloud
cryfs [-c file] [-f] [options]
basedir mountpoint
cryfs --help|--version|--show-ciphers
CryFS encrypts your files, so you can safely store them
anywhere.
The goal of CryFS is not only to keep file contents, but also file
sizes, metadata and directory structure confidential. CryFS uses
encrypted same-size blocks to store both the files themselves and the
block's relations to another. These blocks are stored as individual files in
the base directory, which can then be synchronized with cloud services such
as Dropbox.
The blocks are encrypted using a random key, which is stored in a
configuration file encrypted by the user's passphrase. By default, it
will be stored together with the data in the base directory, but you can
choose a different location if you do not want it in your cloud or when
using a weak passphrase.
While you can access your files through your mount
directory, CryFS actually places them in your base directory
after encrypting. CryFS will encrypt and decrypt your files 'on the fly' as
they are accessed, so files will never be stored on the disk in unencrypted
form.
You can choose any empty directory as your base, but your mount
directory should be outside of any cloud storage, as your cloud may try to
sync your (temporarily mounted) unencrypted files as well.
As the encryption key to your CryFS storage is stored in your
configuration file, it would be possible to re-encrypt it using a different
passphrase (although this feature has not been implemented yet).
However, this does not change the actual encryption key of your
storage, so someone with access to the old passphrase and configuration file
(for example through the file history of your cloud or your file system)
could still access your files, even those created after the password
change.
For this reason, the recommended way to change your passphrase is
to create a new CryFS storage with the new passphrase and move your files
from the old to the new one.
- -h, --help
- Show a help message containing short descriptions for all options.
- --show-ciphers
- Show a list of all supported encryption ciphers.
- --version
- Show the CryFS version number.
- --blocksize
arg
- Set the block size to arg bytes. Defaults to 32768.
A higher block size may help reducing the file count in your
base directory (especially when storing large files), but will also
waste more space when storing smaller files.
- --cipher
arg
- Use arg as the cipher for the encryption. Defaults to
aes-256-gcm.
- -c file,
--config file
- Use file as configuration file for this CryFS storage instead of
basedir/cryfs.config
- -f,
--foreground
- Run CryFS in the foreground. Stop using CTRL-C.
- --allow-filesystem-upgrade
- Allow upgrading the file system if it was created with an old CryFS
version. After the upgrade, older CryFS versions might not be able to use
the file system anymore.
- --allow-integrity-violations
- By default, CryFS checks for integrity violations, i.e. will notice if an
adversary modified or rolled back the file system. Using this flag, you
can disable the integrity checks. This can for example be helpful for
loading an old snapshot of your file system without CryFS thinking an
adversary rolled it back.
- --allow-replaced-filesystem
- By default, CryFS remembers file systems it has seen in this base
directory and checks that it didn't get replaced by an attacker with an
entirely different file system since the last time it was loaded. However,
if you do want to replace the file system with an entirely new one, you
can pass in this option to disable the check.
- --create-missing-basedir
- Creates the base directory even if there is no directory currently there,
skipping the normal confirmation message to create it later.
- --create-missing-mountpoint
- Creates the mountpoint even if there is no directory currently there,
skipping the normal confirmation message to create it later.
- --missing-block-is-integrity-violation=true
- When CryFS encounters a missing ciphertext block, it cannot cannot (yet)
know if it was deleted by an unauthorized adversary or by a second
authorized client. This is one of the restrictions of the integrity checks
currently in place. You can enable this flag to treat missing ciphertext
blocks as integrity violations, but then your file system will not be
usable by multiple clients anymore. By default, this flag is
disabled.
- --logfile
file
- Write status information to file. If no logfile is given, CryFS
will write them to syslog in background mode, or to stdout in foreground
mode.
- --unmount-idle
arg
- Unmount automatically after arg minutes of inactivity.
- -o option,
--fuse-option option
- Pass through options to the FUSE filesystem driver.
- For example:
- -o
allow_other
- This option overrides the security measure restricting file access to the
filesystem owner, so that all users (including root) can access the
files.
- -o
allow_root
- This option is similar to allow_other but file access is limited to the
filesystem owner and root. This option and allow_other are mutually
exclusive.
- CRYFS_FRONTEND=noninteractive
- With this option set, CryFS will only ask for the encryption passphrase
once. Instead of asking the user for parameters not specified on the
command line, it will just use the default values. CryFS will also not ask
you to confirm your passphrase when creating a new CryFS storage.
Set this environment variable when automating CryFS using
external tools or shell scripts.
- CRYFS_NO_UPDATE_CHECK=true
- By default, CryFS connects to the internet to check for known security
vulnerabilities and new versions. This option disables this.
- CRYFS_LOCAL_STATE_DIR=[path]
- Sets the directory cryfs uses to store local state. This local state is
used to recognize known file systems and run integrity checks (i.e. check
that they haven't been modified by an attacker. Default value:
${HOME}/.cryfs
mount.fuse(1), fusermount(1)
cryfs-unmount(1)
For more information about the design of CryFS, visit
https://www.cryfs.org
Visit the development repository at
https://github.com/cryfs/cryfs for the source code and the full list
of contributors to CryFS.
CryFS was created by Sebastian Messmer and contributors. This man
page was written by Maximilian Wende.